Showing results for 
Search instead for 
Did you mean: 

S2S VPN in Cisco FTD managed by FMC



Trying to establish a S2S VPN connection from FTD to Azure. The connection is up and the encrypted and decrypted packet count keeps increasing, but the Azure side is not receiving traffic. Packet trace shows its hitting the IPSec ACL and hitting the right NAT exempt rule. Packet capture on the inside interface shows the traffic coming in from Azure side and return traffic from the protected server address. The only weird thing is when doing a packet capture on the outside interface I can see interesting traffic being sent on the outside interface with Azure side destination address and Outside interface as the source. Should I be seeing that if the traffic is going through the tunnel?


7 Replies 7

encrypt <<- meaning your traffic is pass the interface you config crypto map under it 
decrypt <<- meaning your FTD success receive the traffic from Azure and IPsec success handle these traffic 

are you see both encrypt and decrypt under same IPsec SA ? i.e. under the same IPsec toward remote Peer Azure are you see encrypt and decrypt count increase ?
if Yes 
then check if there is FW Infront of your FTD that drop the packet 
if NO 
check if the traffic gone to wrong Peer 


I am seeing encrypt and decrypt under the correct IPSec SA and there is no firewall past the FTD.

Should I be seeing traffic originating from the outside Interface to the Azure server that is meant to be encrypted? I have never checked it before but I would think that I should not be able to see it if it’s getting encrypted.


even if it encrypt it use UDP/500 or UDP/4500

what inside packet no matter we need to full check that traffic go out form OUTside to Azure

I am seeing tcp/80, tcp/8080 and ICMP traffic 

you capture in FTD side or the Azure side?

On the FTD side. Packet capture on the outside interface shows traffic from with the VPN gateway address as the source and the destination address as azure side protected server address 

Screenshot (507).png
can you confirm the above 
can I see show crypto ipsec sa ?

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: